Risk Researcher, Centre for Risk Studies, Judge Business School at University of Cambridge, and CEO, Concinnity Ltd.
Dr. Andrew Coburn
SVP, RMS, Inc., and Director of Advisory Board, Cambridge Centre for Risk Studies, Judge Business School
On 13 August the ‘ShadowBrokers’, a previously unknown hacker group, posted an online auction of a set of files in two encrypted folders. As evidence of what they were selling, they provided the encryption key to the first folder, effectively distributing for free the files contained within it. The encryption key to the second folder is available to the highest bidder, who must be prepared to pay a bitcoin sum into an anonymous account.
The contents of the free folder are astonishing. Among them are 15 very high-class exploits for breaking into security devices, firewalls, virtual private networks, and networking equipment, together with 13 implants for persistent access to those devices, and 11 tools for a variety of other hacking purposes. Experts believe that a stash of cyber weapons of this status can only have come from one source: the US National Security Agency. The tools themselves are credited to the ‘Equation Group’ – widely assumed to be a key offensive cyber hacking team at the NSA.
The hackers hacked
At one level, the breach demonstrates that even the most secure and best-defended IT environment can be compromised by someone with sufficient knowledge, skills, and resources. The internet is awash with speculation about who could have achieved this. Could someone have really broken in to the NSA from the outside? Or was this an inside job?
Game changer for cyber risk
The distribution of an entire toolkit of exploits is a potential game changer. ‘Zero day vulnerabilities’ of security devices – previously unknown flaws in IT software systems – are enablers of cyber attack. The exploits include methods to penetrate some of the leading brands of firewall systems, including Cisco ASA, Fortinet FortiGate, and Juniper SRX, potentially exposing companies that use these industry standard security systems to the attacks of anyone who uses these free tools. Most notably, these tools could enable data exfiltration from commercial companies.
How it might compare with our accumulation scenarios
When we developed cyber insurance accumulation scenarios for data exfiltration losses, our stress test ‘Leakomania’ envisioned three zero day vulnerabilities in firewall systems and other software that enabled record amounts of private data to be stolen. ‘Fortress Drawbridge v4.3’ our fictional firewall software had an imagined 15% market share of the firewall market. By contrast, the exploits in the real firewall products include Cisco who have 30% market share, Fortinet who have 10%, and Juniper who have 4%. Our hypothetical stress test scenario resulted in the theft of around 2.5 billion data records from a few thousand US companies – which seemed quite a stretch to some commentators, given that an average year sees around 200 million data records lost. However, this new toolkit in circulation makes such a scenario quite plausible.
A race against the hackers
Of course, the software vendors are not just sitting back and allowing this to happen. Most are scrambling to fix the vulnerabilities highlighted in the exploits. But it may take several months before all the holes are plugged across all companies using the software. It is a race against the hackers. Some of the exploits are several years old and were already known, but these remain useable in many cases. The question is how quickly they can all be closed down.
Financial theft and cloud outage too
It is not just data exfiltration that will be enabled as a result of the release of the cyber weapons cache. The publishing of these exploits could make financial thefts more achievable or enable attacks on cloud service providers. It m also provide tools to assist with other scenarios we have developed including our Erebos Business Blackout cyber attack on the power grid, and, potentially, even silent accumulation scenarios that cause physical damage.
Recommended CAMS Scenario for ShadowBrokers
The Cambridge Centre for Risk Studies designed the Cyber Accumulation Management System for RMS to provide to its insurance client base. For users of RMS CAMS who want to assess a contingency stress test for the potential consequences of the ShadowBrokers auction on your portfolio, we believe that the following constitutes a plausible scenario:
A combined loss total from the following:
- Leakomania Reference View (DE02)
- Financial Transaction Theft Lower Stress Test (FT01)
- Cloud Compromise Lower Stress Test (CC01)
The enigma of the encrypted folder
There is no way of knowing what the second folder that is being allegedly auctioned by the ShadowBrokers team contains. The group’s claims could be amount to a hoax, or the folder could contain even more valuable exploits and cyber weaponry. Active security service teams will likely make it extremely difficult for anyone to actually submit a payment to buy access to the file and use the toolkit it apparently contains. However, if a full set of highly advanced cyber hacking tools falls into the wrong hands then we could see a wave of unprecedented cyber crime and insured loss. We will keep a careful watch on any emerging trends of cyber incidents that suggest that the game has suddenly changed.
A wake up call
One possible outcome from this event is that this could spur a step-change in improved and intelligent security across many companies. This would lead to a reduction in cyber insurance risk, rather than an outlook of inevitable loss. Perhaps it will be the wake up call the industry has needed.
Could we be more proactive?
There is no doubt that the ShadowBrokers auction has real and unprecedented catastrophe potential for the nascent cyber insurance industry. What would it be worth for the insurance industry to avoid the potential for this kind of severe loss? Would it be ethical for a consortium of insurers to bid for the ShadowBrokers folder in order to take it out of circulation? Or should the industry rely on the NSA to provide blanket protection for all? The insurance industry is exploring its role in being a cyber risk partner to the corporate world. Is its role simply to pay the claims – or can it act more collectively to mitigate and reduce the risk for its policyholders? In 17th century London the early fire insurers operated their own fire brigades. In the 21st century perhaps insurers should operate their own cyber response teams to extinguish cyber sparks like the box of matches being offered for sale by the ShadowBrokers.